Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:18 a.m.	Sept. 30, 2024, 11:26 a.m.

Size	279.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aef23e8a6616618755598ea6643c457d`
SHA256	`59cff64a3aa382c45295501bf723c99008281ec94a129117f2849c198cd5fae7`
CRC32	`BAD031A9`
ssdeep	`6144:wwIF/kr0LzZRCoijTS6mE6VdcBQDUlu9t4jPvjpToVm:w//EozZ4oinS6mE6zaBQ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
2656
ieUnatt.exe "C:\Windows\SysWOW64\ieUnatt.exe"
2772
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  3032
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.inastra.online	A 208.91.197.27	208.91.197.27
www.aaavvejibej.bond	A 172.67.181.150 A 104.21.31.249	104.21.31.249
www.qmmkl.buzz	A 199.115.230.222	199.115.230.222
www.ortenckt.online	CNAME ortenckt.online A 15.197.148.33 A 3.33.130.190	3.33.130.190
www.tophcom.online	A 162.213.249.216	162.213.249.216
www.ks1x7i.vip	A 3.33.130.190 CNAME ks1x7i.vip A 15.197.148.33	3.33.130.190
www.chalet-tofane.net	CNAME chalet-tofane.net A 62.149.128.40	62.149.128.40
www.deikamalaharris.info	A 3.33.130.190 A 15.197.148.33 CNAME deikamalaharris.info	3.33.130.190
www.healthyloveforall.net	CNAME healthyloveforall.net A 15.197.148.33 A 3.33.130.190	15.197.148.33
www.yu12345.xyz	A 154.82.100.162 A 154.82.100.177 CNAME wmnfkj.a.1112dns.com	154.82.100.162
www.asiapartnars.online	A 3.33.130.190 CNAME asiapartnars.online A 15.197.148.33	15.197.148.33
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
104.21.31.249	Active	Moloch
15.197.148.33	Active	Moloch
154.82.100.162	Active	Moloch
162.213.249.216	Active	Moloch
164.124.101.2	Active	Moloch
199.115.230.222	Active	Moloch
208.91.197.27	Active	Moloch
3.33.130.190	Active	Moloch
45.33.6.223	Active	Moloch
62.149.128.40	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (21 events)

request	POST http://www.inastra.online/gbk4/
request	GET http://www.inastra.online/gbk4/?YL4Xuo8=Xcz/lKtmYzaclw30mRutCrMz0iCvMoWn4C+TPx5KwIQWTY7xXXdhjUXlNPIh25/crbVrIq+nqpDO6TzyKKRH1LwSOwIdyX9mToTVu2V82ZZJItXHAeKXLpKG0S9SlUSIj/WTYQM=&juF=JFgRcS6ZmEX
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
request	POST http://www.ortenckt.online/aj1a/
request	GET http://www.ortenckt.online/aj1a/?YL4Xuo8=Ur0ZWyFT8OiEfJLn3yPLdSBdWX8a8l8OC6gmTkbLwRlGrqwEpeuLxkPxSjH/HqLy3xgFwJuVqXT+/HpjTyaqXcBPjlyI/3D9P6Efe5WF0giYwWm9vrm6ZqnLm72faS9ZVKNPUgI=&juF=JFgRcS6ZmEX
request	POST http://www.ks1x7i.vip/dlcs/
request	GET http://www.ks1x7i.vip/dlcs/?YL4Xuo8=w6QiAdP8awPLsa7dPlQNtgvFVHWdhtnaseEO6V4cXiHKOPXUCZsKWJ9BGfaAmTYzhN2K6Z5BOaQngwCX0AepSI0rlStBxd2X44bqJ9X+cKgImybpEIaXAhb5orDW/Ux0f9JI5tE=&juF=JFgRcS6ZmEX
request	POST http://www.aaavvejibej.bond/j82t/
request	GET http://www.aaavvejibej.bond/j82t/?YL4Xuo8=NfWXDnAQh5K3pnOsCF0vDii8tXVcfmo/Yfv/BKk9TV5fOF3SI/PjI16lUcBoGutUdhauXHkkA4AYZcOT8aQA2N1B1+ukfsmATKdKfQuCh0ukTvZla/6w1Gm/BhFsxzKoGcO0xyo=&juF=JFgRcS6ZmEX
request	POST http://www.deikamalaharris.info/lrgf/
request	GET http://www.deikamalaharris.info/lrgf/?YL4Xuo8=hLl6Iyyv1/RGmZWkf5wh2yQvtjTpeji4gm2wi1fTCYCBRK5IakRwAMv3vntWZSb514WYAvfIVrM3RAyCjUSkRZGkPQg369vB4a8W0zuuOFNbaqB8dz2rlOz6hc3LPF0c7/Wc2h4=&juF=JFgRcS6ZmEX
request	POST http://www.tophcom.online/vfa8/
request	GET http://www.tophcom.online/vfa8/?YL4Xuo8=yTDEjSVS0lCRYcLLSbErnDAkT0JZNa8zZB0jcnDiZYtjnJOoqq5Z40Gn1U7J3oatl6C8awuakmbsKCgMViK0oesm5qwmAD1qOIwHCZzBZd3TJmynBSVD9f0/1JF0ONRaQoLyR2E=&juF=JFgRcS6ZmEX
request	POST http://www.chalet-tofane.net/obbp/
request	GET http://www.chalet-tofane.net/obbp/?YL4Xuo8=q8u4kFvwJtfA9Pl1ds3tjQ7ow4KT7LOOGaMFAF6owipiqs4LNofKW4Y9CH1Win64WDwfsJ4uRP0wkw8hq3GbZS6kjA9nI0yHzN0mlQXpHN0/trnvSXB4Lf7XHG3+J/AtNs7QOpo=&juF=JFgRcS6ZmEX
request	POST http://www.healthyloveforall.net/566f/
request	GET http://www.healthyloveforall.net/566f/?YL4Xuo8=81geMJs5jQmVeK4i+zN1aXdgkXoAl5xwgeOmc9jTU6Fy38DzzGnJ7+rIeILM3vuuxnxtHSDzEYKSpKxEJp8TaMn+YY9ZjvrM5UkR73FkAqX/axSnrZS74daOnbcz5lsS/OUHPys=&juF=JFgRcS6ZmEX
request	POST http://www.asiapartnars.online/tkmh/
request	GET http://www.asiapartnars.online/tkmh/?YL4Xuo8=xPv3ed6Vo6P/OeD9iYc0axaLiCbQz9tO+ter//brXKVYevLLhvaYqC5awYxtTwn3UYU3uWYA8pDaQLyA3tguhPnmONlJZZk7g7tUcQtoghx7Pdn1Dg+KuHxXpvtQneLtoLRoCkY=&juF=JFgRcS6ZmEX
request	POST http://www.yu12345.xyz/mnl8/
request	GET http://www.yu12345.xyz/mnl8/?YL4Xuo8=RGOQJd/YEggQptEhSR7QqNo9UXjxoHpnx+ZpwzxB5TUNCs3vZOAWVTa00MSp05vDjRsJpPlMBwR2f8tV0y9dQ8/CXq/FAb0GI/CYzLlsH+CYRwfr/US/g2IdAuaggqbc54PbH5Q=&juF=JFgRcS6ZmEX

Sends data using the HTTP POST Method (10 events)

request	POST http://www.inastra.online/gbk4/
request	POST http://www.ortenckt.online/aj1a/
request	POST http://www.ks1x7i.vip/dlcs/
request	POST http://www.aaavvejibej.bond/j82t/
request	POST http://www.deikamalaharris.info/lrgf/
request	POST http://www.tophcom.online/vfa8/
request	POST http://www.chalet-tofane.net/obbp/
request	POST http://www.healthyloveforall.net/566f/
request	POST http://www.asiapartnars.online/tkmh/
request	POST http://www.yu12345.xyz/mnl8/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 30, 2024, 11:18 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 274432 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01253000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:18 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01251000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:18 a.m.	process_identifier: 2656 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:18 a.m.	process_identifier: 2772 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:26 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ieUnatt.exe tried to sleep 168 seconds, actually delayed analysis time by 168 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044c00', u'virtual_address': u'0x00001000', u'entropy': 7.995432648189654, u'name': u'.text', u'virtual_size': u'0x00044af4'}

entropy

7.99543264819

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Formbook.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Gen:Variant.Mikey.148734
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.148734
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Gen:Variant.Mikey.148734
K7GW	Trojan ( 00536d121 )
K7AntiVirus	Trojan ( 00536d121 )
Arcabit	Trojan.Mikey.D244FE
VirIT	Trojan.Win32.Formbook.GEN
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Formbook.AK
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Alibaba	Trojan:Win32/FormBook.90841b29
NANO-Antivirus	Trojan.Win32.Formbook.kshkpi
MicroWorld-eScan	Gen:Variant.Mikey.148734
Rising	Trojan.Kryptik@AI.84 (RDML:Vgxum8h8XAOdpkOTCVgJ5g)
Emsisoft	Gen:Variant.Mikey.148734 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
TrendMicro	TROJ_GEN.R002C0DIQ24
McAfeeD	Real Protect-LS!AEF23E8A6616
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.formbook
Sophos	Troj/Formbook-A
Ikarus	Trojan.Win32.Formbook
FireEye	Generic.mg.aef23e8a66166187
Webroot	W32.Trojan.TR.Crypt.ZPACK
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook.x
Kingsoft	Win32.Trojan-Spy.Noon.biiv
Gridinsoft	Trojan.Win32.Kryptik.sa
Xcitium	Malware@#1ywrx9dc2x8a0
Microsoft	Trojan:Win32/FormBook.NF!MTB
GData	Gen:Variant.Mikey.148734
Varist	W32/ABTrojan.NGYR-1512
AhnLab-V3	Infostealer/Win.Formbook.R647393
McAfee	Artemis!AEF23E8A6616
DeepInstinct	MALICIOUS
VBA32	Virus.Goblin.2521
Malwarebytes	Spyware.FormBook
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DIQ24
Tencent	Win32.Trojan-Spy.Noon.Zwhl
huorong	TrojanSpy/Formbook.ag

bin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All